[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: windows authentication & openldap: explanation.

To: openldap-software@OpenLDAP.org
Subject: Re: windows authentication & openldap: explanation.
From: Jim C <jcllings@tsunamicomm.net>
Date: Mon, 29 Jul 2002 23:33:53 -0700
References: <F190PGxgelXDeqoMIOG00003eea@hotmail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1) Gecko/20020508 Netscape6/6.2.3

This thread is riight up the alley of my most recent headache. ;-) First off let me warn you guys that I am a student and that I am working on a accedemic project. Consequently, purchased solutions are out.

In order to authenticate a Windows based client I am trying to use the pGINA module with the LDAP plugin. I've not be able to figure out the configureattion despite haveing a Unix ldap.conf that works to use as a base. I can email this to anyone who wants to help.

Any tips I can get on this would be most helpful. Esepcailly any windows based trouble shooting tricks. The windows based cleint is a Win2K box. I am basically trying to figure out the differenece between what the client is sending and what the server expects.

Alternatively, if there is an easier (cheap) way to authenticate a Windows based client , I am all ears.

Thanks,

Jim C.

yes that does answer my question, thanks alot. and thanks to kevin for the links to pgina and psynch. -brian
From: David Wright <ichbin@shadlen.org>
To: brian jones <bj_rui@hotmail.com>
CC: openldap-software@OpenLDAP.org
Subject: Re: windows authentication & openldap: explanation.
Date: Fri, 26 Jul 2002 14:51:47 -0700 (PDT)
How Unix authentication works: 1. Server (or /etc/passwd) stores a hashed password, e.g. "{ROT-1}tfdsfu" 2. Client hands server the cleartext of the user input, e.g. "secret" 3. Server hashes the client user input and compares it with the stored hased password. If they match, it returns TRUE.
How Windows authentication works:
1. Server stores cleartext of the password, e.g. "secret".
2. Server sends client a challenge, e.g. "abcdef".
3. Client hashes the client input and the challenge together, e.g.
"tgfvjz" and sends this response to the server.
4. Server hases the client input and the challenge together and compares
to the client's response. If they match, it retuns TRUE.
The Windows authentication has the advantage that the cleartext password is never sent over the wire. It the the disadvantage that the server must store the cleartext password.

OpenLDAP is designed to store hashed passwords, as is the Unix tradition. Since Windows authentication would require storing cleartext passwords, OpenLDAP doesn't implement the challenge/response model of Windows authentication.

You can get around this limitation. You can store a hashed password in the userPassword attribute and have your Unix clients authenticate off it via LDAP. You can also store a cleartext password in the smbPassword attribute and tell Samba to get passwords from LDAP. Samba implements the Windows challenge/response model and your Windows clients can authenticate off it.
You then need to do some scheming to make sure that the userPassword and
smbPassword attributes stay in sync.
That answer you question?
_________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx

Follow-Ups:
- Re: windows authentication & openldap: explanation.
  - From: "Kervin L. Pierre" <kervin@blueprint-tech.com>
- Re: windows authentication & openldap: explanation.
  - From: Adam Williams <adam@morrison-ind.com>

References:
- Re: windows authentication & openldap: explanation.
  - From: "brian jones" <bj_rui@hotmail.com>

Prev by Date: Re: How exactly does PAM figure into things? Was: Alternatives to LDAP
Next by Date: LDAP Authentication Slave
Index(es):
- Chronological
- Thread